Full Report
Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.
Analysis Summary
# Threat Actor: UAT-8302
## Attribution & Identity
- **Name/Alias:** UAT-8302
- **Origin/Nexus:** China-nexus Advanced Persistent Threat (APT) group.
- **Associated Groups (Tooling/TTP Overlaps):**
- **Jewelbug / REF7707 / CL-STA-0049 / LongNosedGoblin:** Shared use of NetDraft (NosyDoor/SquidDoor).
- **Earth Estries / Earth Naga:** Shared use of Draculoader, SNAPPYBEE/DeedRAT, and ZingDoor.
- **Erudite Mogwai (LuckyStrike Agent):** Historically used similar .NET backdoors.
- **UNC5174 / UNC6586 / UAT-6382:** Observed using the SNOWLIGHT stager and VSHELL malware.
## Activity Summary
UAT-8302 is a sophisticated threat group active since at least late 2024. The actor specializes in multi-stage compromises that involve the deployment of custom malware families. Recent campaigns in 2025 have showcased their expansion into Southeastern Europe following established operations in South America. The group demonstrates a high level of operational coordination by utilizing toolsets previously exclusive to other high-tier Chinese espionage clusters.
## Tactics, Techniques & Procedures
- **Primary Objectives:** Obtaining and maintaining long-term persistent access; information collection and credential extraction.
- **Lateral Movement & Proliferation:** Extensive use of open-source and dual-use tools including Impacket and SoftEther VPN.
- **Evasion & Execution:**
- Deployment of custom shellcode loaders (Draculoader).
- Use of generic stagers (SNOWLIGHT, SNOWRUST) to deploy final payloads.
- Cloud-based command-and-control (C2) mechanisms.
- **MITRE ATT&CK IDs (Inferred from context):**
- **T1071:** Application Layer Protocol (C2 via HTTP/S)
- **T1583:** Acquire Infrastructure (Use of workers.dev and VPS)
- **T1573:** Encrypted Channel
- **T1003:** OS Credential Dumping (via SharpGetUserLogin)
- **T1021:** Remote Services (SSH, VPN)
- **T1090:** Proxy (Use of AnyProxy, SoftEther)
## Targeting
- **Sectors:** Government agencies and related entities.
- **Geography:**
- **South America** (Late 2024 - ongoing)
- **Southeastern Europe** (Early 2025 - ongoing)
- **Victims:** The report explicitly names government organizations; tooling previously associated with this actor has targeted Russian IT firms and government entities in Southeast Asia and Japan.
## Tools & Infrastructure
- **Custom Malware:**
- **NetDraft:** A .NET-based backdoor (variant of FinalDraft/SquidDoor/NosyDoor).
- **CloudSorcerer (v3):** A sophisticated backdoor using cloud infrastructure for C2.
- **SNOWRUST:** A new Rust-based stager.
- **SNOWLIGHT:** A stager for VSHELL.
- **VSHELL:** A custom backdoor.
- **SNAPPYBEE / DeedRAT / ZingDoor:** RATs often deployed alongside one another.
- **Draculoader:** Shellcode loader.
- **Open-Source/Common Tools:** Impacket, AnyProxy, QScan, Httpx, SoftEther VPN, SharpGetUserLogin, Naabu, PortQry, Dddd.
- **Infrastructure:**
- **Domains:**
- drivelivelime[.]com
- msiidentity[.]com
- trafficmanagerupdate[.]com
- update-kaspersky[.]workers[.]dev
- **IP Addresses:** Eight C2 and VPS addresses, listed in the full Talos report.
## Implications
UAT-8302 represents a highly collaborative or centralized resource-sharing model within the Chinese intelligence ecosystem. Their access to "private" toolsets like CloudSorcerer and NetDraft suggests they are a high-priority threat actor. Their shift toward Rust-based tooling (SNOWRUST) indicates an evolution toward cross-platform capabilities and better detection evasion.
## Mitigations
- **Network Defense:** Implement strict outbound filtering to block unknown IPs and domains, specifically inspecting traffic to legitimate cloud services (like Cloudflare Workers) used for C2.
- **Endpoint Protection:** Monitor for the execution of unauthorized tools such as Impacket, SoftEther, or SharpGetUserLogin.
- **Vulnerability Management:** Prioritize patching Internet-facing assets, given the group's association with zero-day exploitation such as CVE-2025-0994.
- **Behavioral Analysis:** Look for shellcode injection patterns associated with Draculoader and the use of Rust-compiled binaries in unexpected directories.
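As an added illustration of the network-defense item above (not code from the Talos report): a small triage routine over constructed outbound proxy log lines that flags the report's listed domains, Cloudflare Workers hosts not on a local allowlist, and regular-interval connections to a single host. The log format, the allowlist entry and the sample lines are assumptions.

```python
"""Outbound-traffic triage for the UAT-8302 indicators above (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime

# Domains from the report, defanged as published; refanged for matching.
REPORT_DOMAINS = {
    "drivelivelime[.]com", "msiidentity[.]com",
    "trafficmanagerupdate[.]com", "update-kaspersky[.]workers[.]dev",
}
IOC_DOMAINS = {d.replace("[.]", ".") for d in REPORT_DOMAINS}
# Hypothetical allowlist of Workers hosts the organisation legitimately uses.
WORKERS_ALLOWLIST = {"internal-tools.example.workers.dev"}

# Assumed log format: "<iso-timestamp> <source-ip> <destination-host> <bytes>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<bytes>\d+)$")

# Constructed sample lines: one host beacons once a minute, one Workers host is unreviewed.
SAMPLE_LOG = [
    "2025-03-01T10:00:00 10.1.2.3 update-kaspersky.workers.dev 512",
    "2025-03-01T10:01:00 10.1.2.3 update-kaspersky.workers.dev 498",
    "2025-03-01T10:02:01 10.1.2.3 update-kaspersky.workers.dev 503",
    "2025-03-01T10:00:30 10.1.2.9 internal-tools.example.workers.dev 2048",
    "2025-03-01T10:00:45 10.1.2.9 unknown-app.workers.dev 1200",
    "2025-03-01T10:00:50 10.1.2.9 www.example.com 800",
]

def triage(lines, beacon_min_hits=3, jitter_seconds=5):
    """Return sorted (reason, host) findings for the given proxy log lines."""
    findings, per_pair = set(), defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        host = m["host"].lower()
        per_pair[(m["src"], host)].append(datetime.fromisoformat(m["ts"]))
        if host in IOC_DOMAINS:
            findings.add(("known-ioc", host))
        elif host.endswith(".workers.dev") and host not in WORKERS_ALLOWLIST:
            findings.add(("unreviewed-workers-dev", host))
    # Near-constant intervals from one source to one host look like C2 check-ins.
    for (_, host), stamps in per_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= beacon_min_hits and max(gaps) - min(gaps) <= jitter_seconds:
            findings.add(("beacon-like", host))
    return sorted(findings)

if __name__ == "__main__":
    for reason, host in triage(SAMPLE_LOG):
        print(f"{reason:24} {host}")
```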